Cache unit useful for secure execution

ABSTRACT

A cache unit that is configured to retain: a plurality of cache blocks; a plurality of owner indicators, and a plurality of validity marks. For each cache block of the plurality of cache blocks exists a corresponding owner indicator in the plurality of owner indicators. An owner indicator corresponding to a cache block is capable of identifying an entity that caused the cache block to be fetched to the cache unit. For each cache block of the plurality of cache blocks exists a corresponding validity mark in the plurality of validity marks. A validity mark corresponding to the cache block indicates whether a validation process performed on the cache block upon fetching thereof was successful. The cache unit may be useful for secure execution.

TECHNICAL FIELD

The present disclosure relates to computing in general, and to securecomputing in a potentially untrusted environment, in particular.

BACKGROUND

In current computing environments, many programs are being executed onservers, other remote computing devices, or other remote executionplatforms, such as part of the cloud. The user sends a program,comprising code and data, for execution. It can be provided, forexample, as files on a disk or via a network, and program output iscollected similarly. In some cases, the program may be installed onceand works perpetually, possibility sending back output to the user fromtime to time. The computation tasks entrusted with such remote executionplatforms may include processing of confidential or otherwise sensitivedata, that sometimes should not be divulged, and while ensuring that thedata is not manipulated or altered by another. In some cases, theprogram itself may contain trade secrets, such as confidentialalgorithms. The program should therefore not be viewable by unauthorizedentities. Furthermore, unauthorized entities should not be allowed toalter the program itself.

The remote execution platform may serve concurrently multiple users andexecute their respective programs. A user cannot trust that other userswill not attempt to gain access to her sensitive data, such as bymanipulating their software to access its data. Furthermore, any othersoftware being executed on the execution platform, even if provided withunrestricted permissions, is also not to be trusted. The OperatingSystem (OS), hypervisor, Virtual Machine Monitor (VMM) cannot betrusted, such as in case of an execution platform offered by anuntrusted vendor.

Secure execution platforms are currently provided, where the owner ofthe platform is not trusted, but the processor's manufacturer is. Intel™Software Guard Extensions (SGX)™ is an example of such a hardware-basedsolution providing a secure execution platform. However, SGX directlysupports only programs written especially for it, and suffers fromperformance and scalability problems, and lack of support ofconventional programs and programming models (e.g. conventionalmulti-threading).

BRIEF SUMMARY

One exemplary embodiment of the disclosed subject matter is a cache unitcomprising computer readable medium, wherein said cache unit isconfigured to retain: a plurality of cache blocks; a plurality of ownerindicators, wherein for each cache block of the plurality of cacheblocks exists a corresponding owner indicator in the plurality of ownerindicators, wherein an owner indicator corresponding to a cache block iscapable of identifying an entity that caused the cache block to befetched to the cache unit; and a plurality of validity marks, whereinfor each cache block of the plurality of cache blocks exists acorresponding validity mark in the plurality of validity marks, whereina validity mark corresponding to the cache block indicates whether avalidation process performed on the cache block upon fetching thereofwas successful.

Optionally, a first dataset and a second dataset concurrently resideunencrypted in the plurality of cache blocks, wherein the first datasetis associated with a first entity, wherein the second dataset isassociated with a second entity, wherein the second entity is prohibitedfrom accessing the first dataset.

Optionally, the first entity is prohibited from accessing the seconddataset.

Optionally, the first dataset comprises one or more cache blockscomprising program instructions that are to be executed by the firstentity, and wherein the first dataset comprises one or more cache blockscomprising data that is written by the first entity.

Optionally, a key storage may retain a plurality of keys, each of whichis associated with a different entity, wherein the validation process isperformed using a key retained in the key storage, wherein the key isassociated with the entity, wherein the key storage and the plurality ofcache blocks are retained in a secure storage. Optionally, the securestorage is may by on the processor, off-the processor, or the like.

Optionally, a Security Management Unit (SMU) comprised by an apparatuswhich comprises the cache unit, is configured to perform the validationprocess upon fetching of a cache block into the cache unit.

Optionally, said SMU is further configured to sign a cache block uponcache block eviction from the cache unit to produce a signature, whereinthe validation process is based on the signature produced by said SMUupon eviction.

Optionally, said SMU is configured to utilize the plurality of ownerindicators and the plurality of validity marks to enforce accessprivileges to the plurality of cache blocks.

Optionally, said SMU is configured to bypass the access privileges inresponse to receiving an instruction for execution selected from a listof secure instructions.

Optionally, wherein the list of secure instructions comprises: a securestore instruction configured to store data in a manner allowing it to beaccessible in security domains different than a security domain in whichthe secure store instruction is executed; a secure load instructionconfigured to load data stored in security domains different than asecurity domain in which the secure load instruction is executed; and aninitialization instruction configured to initialize allocated memory tobe used by an entity executing the initialization instruction.

Optionally, said SMU is configured to enforce access privileges thatcouple instructions and data retained in the plurality of cache blocksusing the plurality of owner indicators and the plurality of validitymarks.

Optionally, said SMU is configured to assign and set values to theplurality of validity marks and to the plurality of owner indicatorsduring fetching of corresponding data blocks into said cache unit,wherein said SMU is configured to encrypt a cache block upon evictionfrom said cache unit into a computer-useable medium, and wherein saidSMU is configured to decrypt a data unit upon fetching the data unitfrom the computer-useable medium into said cache unit.

Optionally, said SMU is configured to encrypt the cache block uponeviction from said cache unit only in response to the cache block beingassociated with a validity mark indicating a successful validationprocess of the cache block.

Optionally, an execution unit comprised by an apparatus which comprisesthe cache unit, comprises a set of registers for retaining values,wherein the set of registers are configured to be used during executionof instructions by said execution unit. Said execution unit isconfigured to receive an instruction, an instruction validity mark, andan instruction owner indicator, wherein the instruction is aninstruction to be executed by said execution unit and configured to readfrom a cache block in the plurality of cache blocks, wherein theinstruction validity mark is a validity mark that corresponds the cacheblock, and wherein the instruction owner indicator is an owner indicatorthat corresponds the cache block; and wherein said execution unit isconfigured to erase content in at least a portion of the set ofregisters based on at least one of the instruction validity mark and theinstruction owner indicator.

Optionally, the execution unit is configured to erase the content in atleast a portion of the set of registers based on the instructionvalidity mark indicating an unsuccessful validation process of theinstruction.

Optionally, said execution unit is configured to erase the content in atleast a portion of the set of registers based on the instruction ownerindicator indicating a different owner than a second instruction ownerindicator associated with a previous instruction preceding theinstruction.

Optionally, said execution unit is configured to copy the content of theat least a portion of the set of registers to a secure storage prior toerasing the content, wherein said execution unit is configured torestore the content of the at least a portion of the set of registersfrom said secure storage in response to receiving a second instruction,a second instruction validity mark and a second owner indicator, basedon the second instruction validity mark indicating a successfulvalidation process of the second instruction and based on the secondowner indicator indicating a same owner as a third owner indicator thatis associated with a third instruction preceding the instruction.

Optionally, said execution unit is configured to verify that anattribute of the second instruction matches an expected attribute,before restoring the content of the at least a portion of the set ofregisters.

Optionally, the attribute of the second instruction is an address of thesecond instruction, and wherein the expected attribute is an expectednext address.

Optionally, the content is values of a proper subset of the set ofregisters, whereby protecting values of a portion of the set ofregisters excluding the proper subset from being accessed byunauthorized instructions, and whereby enabling passing of argumentsfrom secure domain to unsecure domain via the proper subset.

Another exemplary embodiment of the disclosed subject matter is a methodcomprising: obtaining an instruction for execution from a first cacheblock; obtaining a first validity mark and a first owner indicatorassociated with the first cache block; in response to the instruction,when executed, attempting to access a second cache block: obtaining asecond validity mark and a second owner indicator associated with thesecond cache block; determining an access privilege of the instructionto the second cache block based on at least two of the first validitymark, the first owner indicator, the second validity mark and the secondowner indicator; and enforcing the access privilege.

Optionally, said determining the access privilege comprises determiningto prevent access in response to at least one of the following: thefirst validity mark and the second validity mark indicate successfulvalidation and the first owner indicator is different than the secondowner indicator; the first validity mark indicates unsuccessfulvalidation and the second validity mark indicates successful validation;and the first validity mark indicates successful validation, the secondvalidity mark indicates unsuccessful validation and the instruction isnot selected from a predetermined group of secure instructions.

Yet another exemplary embodiment of the disclosed subject matter is amethod performed by a processor, wherein the processor comprising acache unit retaining a plurality of cache blocks and a set of registers,wherein said method comprising: obtaining a first instruction forexecution from a first cache block; obtaining a first validity mark anda first owner indicator associated with the first cache block;determining a first security domain based on the first validity mark andthe first owner indicator; executing the first instruction to set afirst state of the processor; obtaining a second instruction forexecution from a second cache block; obtaining a second validity markand a second owner indicator associated with the second cache block;determining a second security domain based on the second validity markand the second owner indicator; in response to determining the secondsecurity domain is different than the first security domain: storing, ina secure storage, content of at least a portion the set of registers;storing, in a secure storage, an address of next instruction in thefirst security domain; and after said storing content and storing theaddress, modifying the content of the at least a portion of the set ofregisters; after said modifying, executing the second instruction to seta second state of the processor; obtaining a third instruction forexecution from a third cache block; obtaining a third validity mark anda third owner indicator associated with the third cache block;determining a third security domain based on the third validity mark andthe third owner indicator; in response to determining the third securitydomain is the first security domain: restoring, from the secure storage,the content of the at least portion of the set of registers, therebyrestoring the first state of the execution unit; and verifying anaddress of the third instruction matches the address of the nextinstruction in the first security domain retained in the secure storage;and executing the third instruction on the first state of the executionunit.

THE BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The present disclosed subject matter will be understood and appreciatedmore fully from the following detailed description taken in conjunctionwith the drawings in which corresponding or like numerals or charactersindicate corresponding or like components. Unless indicated otherwise,the drawings provide exemplary embodiments or aspects of the disclosureand do not limit the scope of the disclosure. In the drawings:

FIG. 1 shows a block diagram of an apparatus, in accordance with someexemplary embodiments of the disclosed subject matter;

FIG. 2 shows a block diagram of a Security Management Unit (SMU), inaccordance with some exemplary embodiments of the disclosed subjectmatter;

FIG. 3 shows a block diagram of a cache unit, in accordance with someexemplary embodiments of the disclosed subject matter;

FIG. 4 shows a block diagram of an execution unit, in accordance withsome exemplary embodiments of the disclosed subject matter;

FIGS. 5A-5B and 6 show flowchart diagrams of methods, in accordance withsome exemplary embodiments of the disclosed subject matter.

DETAILED DESCRIPTION

One technical problem dealt with by the disclosed subject matter is toprotect data used by a processor or generated thereby, such as cacheddata, against forbidden access. In some cases, a shared executionplatform may be used. The shared execution platform may executemalicious software at the same time a user-program is being executed.The malicious software can potentially have any software-basedprivileges, may be part of the Operating System (OS), may operate inkernel mode with administrator permissions, may be implemented as partof the VMM or hypervisor, or the like. In some cases, the owner of theshared execution platform herself may be untrusted and she may beassumed to try to or assist in attacking the executed code, such asreading the code, altering the code, accessing or modifying data used bythe code, or the like.

In some exemplary embodiments, only the hardware or a specific hardwarecomponent, such as a processor, may be trusted in the shared executionplatform. It may be desired to protect the integrity of an applicationrunning on the shared machine, even if that machine is compromised orotherwise untrusted. The integrity of the application may be protectedby detecting alterations of the application itself or the data used bythe application. In some cases, it may be further desired to protect theconfidentiality of the data being processed by the application, theconfidentiality of the application, or the like.

Another technical problem dealt with by the disclosed subject matter isto enable a secure execution platform providing tamper detection andprevent access to the code or data used or produced by a program, in anefficient manner. Some naïve solutions adversely affect performance ofthe secure execution platform, such as by incurring significant area andprocessing overhead. In one naïve solution, protected data and code aretransferred to a secure dedicated memory region. However, such asolution requires migrating data back and forth from the secure memoryregion to other regions specifically for the purpose of providing secureexecution, and provides for a coarse granularity of protection, such asassuming a same permission to all data and code retained in thededicated memory region at the same time.

Yet another technical problem dealt with by the disclosed subject matteris to provide for a secure execution platform that can execute generalcode and would not require manually using of a specific instruction setassociated therewith, or manually introducing security-instruction intothe code itself, forcing the programmer to consider security aspectsassociated with the secure execution platform.

One technical solution provided by the disclosed subject matter is acache unit to be used in a secure execution platform. The cache unit maybe a computer-readable medium used by a processor, such as for retainingdata used in the processing or for storing results of the processing.The disclosed subject matter is not limited to CPU cache, but forsimplicity of the disclosure, the specification focuses on suchembodiment. The CPU cache may retain data that is fetched from memory tobe processed by the processor, and retains outputs of the processorbefore being stored in other memory regions, such as RAM memory orpersistent storage.

In some exemplary embodiments, the cache unit may retain metadata atcache block granularity. Each cache block is associated with an OwnerIdentifier (OI) and a Validation Mark (VM).

The OI indicates which entity is responsible for a cache block. Forexample, which process has written the data into the cache block, whoseprogram code is retained in the cache block, or the like. The OI may be,for example, a process identifier.

In some exemplary embodiments, the VM may indicate whether a key-basedvalidation process of the cache block was successful. The key-basedvalidation process may utilize a key associated with the owner of thecache block. In some exemplary embodiments, a cache block may be signedwhen evicted from the secure cache to unsecure memory. The signature mayutilize a secret key and may be based on the content of the cache block,address (virtual or physical) used to determine the placement andlocation of the block outside the cache (e.g., when evicting the blockor when fetching), or the like. In some exemplary embodiments, thesignature of the cache block may be later used, when the same block isfetched back into the cache, to validate the content of the block wasnot tampered with. In some exemplary embodiments, the VM may be a onebit flag that is either set (e.g., 1) if the validation process wassuccessful or unset (e.g., 0), if the validation process failed. In someexemplary embodiments, some of the cache blocks retained in the cacheunit may not be associated with secure programs. For such cache blocks,the OI may indicate that they are not protected, they may not have anassociated secret key, the VM may be constantly set to 0, or the like.

In some exemplary embodiments, an embodiment may utilize a combinedmetadata variable to indicate values of both OI an VM, such as using abyte to represent OI and having a predetermined value, such as 0represent false VM and otherwise VM is deemed as true. In accordancewith the disclosed subject matter, such an embodiment may still beviewed as comprising both a VM and OI although such metadata isrepresented using a combined single variable.

In some exemplary embodiments, the OI and VM cannot be forged. Theircontent is examined by trusted hardware, retained in secure storagelocations that are only accessible to the trusted hardware. In someexemplary embodiments, the marks may be generated using a cryptographicmechanism.

In some exemplary embodiments, a hardware device, such as a CentralProcessing Unit (CPU), an Integrated Circuit (IC), a processor, or thelike, in accordance with the disclosed subject matter may comprise thecache unit. The hardware device may be configured to automatically hideregister values on a first invocation of an untrusted instruction,thereby protecting the register values of protected code. The registervalues may be restored when a next trusted instruction is performed. Asthe hardware unit handles the hiding of the register values, it does notrely on an OS to perform such actions upon context switches. Thoughduplicative operations may be performed (e.g., that of the hardwaredevice itself, and that which the OS causes using OS code), this ensuresthat the values in the register are protected even when a malicious OSis installed.

The hardware device may be configured to block untrusted memory-accessinstructions from accessing trusted cache blocks. The VM and OI metadatamay be used to enforce an access control to the cache that couplesvalidated instructions and validated data. The hardware device mayretain data and code of different, potentially adversarial programs, atthe same time in the cache unit and enforce desired access privileges ata cache block level granularity, and without requiring flushing cachecontent upon switching from one secure program to another. Furthermore,the same cache may be used to retain code and data of differentprotected programs that are also protected from each other, as well asunprotected data and code.

Keys may be retained in a key storage. In some exemplary embodiments,the key storage may retain secret cryptographic keys for encryption anddecryption, signing and validation, alongside with an owner indicationof each key. In some exemplary embodiments, only a designated componentof the hardware device, such as a Security Management Unit (SMU) mayread the content of the key storage. In some embodiments, the keystorage may support write requests by the program, such as performedover a secure link. Additionally or alternatively, the key storage maycontain pre-written keys that cannot be rewritten by anyone.

In some exemplary embodiments, the SMU may be configured to set thevalue of VM and OI. In some exemplary embodiments, the SMU may beconfigured to encrypt and decrypt data blocks when migrating from and tothe cache unit. The SMU may sign blocks being migrated from the cacheunit and perform the validation process when the block is fetched backinto the cache.

One technical effect of the disclosed subject matter may be providing anefficient secure execution hardware-based platform. In some exemplaryembodiments, the secure execution platform may be capable of hiding theregister's data relatively fast, such as within about a single clockcycle. The disclosed subject matter may further provide for an efficientcontext switches without requiring cache manipulations upon contextswitches, let alone complete flushing of the cache. Such potentiallysignificant overhead associated with switching from or to trusted codemay therefore be avoided.

Another technical effect may be the ability to use general purpose code.In some exemplary embodiments, the security mechanisms may be hiddenfrom the program. The programmer may not need to modify the applicationcode to utilize an execution platform in accordance with the disclosedsubject matter. The same cannot be said about other secure executionplatforms, such as INTEL™ SGX™. In some exemplary embodiments,pre-processing may be performed so as to modify the code to allow forauthorized code to communicate with unauthorized code, such as forinvoking a system call and passing arguments thereto via registers, forinitializing newly allocated memory that is allocated by the OS for theauthorized program, or the like.

Yet another technical effect is providing the desired solution in arelatively simple manner, which requires minimal changes to externalmodules. In some exemplary embodiments, the disclosed subject mattermonitors and controls some in-chip channels. The disclosed subjectmatter may rely on such in-chip channels, and avoid having to make anymodification in the rest of the system. Such aspect may be of importanceas it reduces development complexity and Quality Assurance (QA) effortsrequired for such embodiments.

The disclosed subject matter may provide for one or more technicalimprovements over any pre-existing technique and any technique that haspreviously become routine or conventional in the art.

Additional technical problems, solutions and effects may be apparent toa person of ordinary skill in the art in view of the present disclosure.

Referring now to FIG. 1, showing a block diagram of an apparatus, inaccordance with some exemplary embodiments of the disclosed subjectmatter.

A Processor 100, or other similar apparatus, such as a microprocessor,an electronic circuit, an Integrated Circuit (IC) or the like, may beconfigured to execute instructions. Processor 100 may be coupled toUnprotected Memory 150, capable of retaining data in a computer-useablemanner. In some exemplary embodiments, Unprotected Memory 150 may be aRandom Access Memory (RAM). In some exemplary embodiments, UnprotectedMemory 150 may retain data obtained from persistent long-term storage,such as a Hard Disk Drive (HDD), a Flash drive, a Network AttachedStorage (NAS), or the like. For simplicity, but without limiting thedisclosed subject matter to such embodiment, Unprotected Memory 150 isshown as being retained externally to Processor 100. However, thedisclosed subject matter is not limited to such an embodiment, and insome cases, and Processor 100 may comprise Unprotected Memory 150 orportion thereof. It is further noted that the trusted portion of thememory, which is protected from unauthorized access thereto, may or maynot reside on a single processor. In some cases, some protected memorymay be retained externally to Processor 100. However, for the simplicityof the disclosure, the specification focuses on the embodiment where thetrusted portion of the memory is retained on Processor 100.

Processor 100 may comprise Cache Unit 110. Cache Unit 110 may be ahardware cache used by the Processor 100. In some exemplary embodimentsCache Unit 110 may be utilized to store instructions and input data tosuch instructions or output data determined by such instructions. Ifdata that is required by Processor 100 is not in Cache Unit 110 (e.g.,cache miss), the data may be fetched and stored in a cache block withinCache Unit 110. Upon such fetching, a different cache block may beevicted, and potentially stored in secondary memory, such as UnprotectedMemory 150. In some exemplary embodiments, Cache Unit 110 may bephysically or virtually addressed. In some exemplary embodiments, CacheUnit 110 may be organized as a hierarchy of several cache levels (e.g.,L1, L2, or the like). In some exemplary embodiments, some of the cachelevels may not be trusted and may be handled similarly to UnprotectedMemory 150. In some exemplary embodiments, in case there is more thanone protected cache level, the level-to-level communication betweenprotected cache levels may carry metadata alongside the actual blocks,such as VM and OI values. When crossing the boundary from an unprotected(and untrusted) cache level to a protected cache level, VM and OI may becomputed. For simplicity, but without limiting the disclosed subjectmatter to such embodiment, the disclosure below addresses a cache unithaving a single cache level.

In some exemplary embodiments, Cache Unit 110 retains in addition to thedata in the cache blocks themselves additional metadata for each datablock. Each data block in the cache may be associated with a VM, whichmay be a single bit. Additionally or alternatively, each data block inthe cache may be associated with an OI. In some exemplary embodiments,the VM and OI may be stored alongside the cache block. Additionally oralternatively, the VM an OI may be stored separately from the cacheblock such as in a different protected storage module within Cache Unit110.

In some exemplary embodiments, in order for the data in Cache Unit 110to be useful for computations, the data may reside in the cache in anunencrypted manner.

Execution Unit 130 may be configured to execute instructions. Theinstructions may be fetched from Cache Unit 110. Data manipulation maybe performed on Cache Unit 110 and registers, such as when executingload instruction (ld), store instruction (st), instructions thatmanipulate content of registers, or the like. In some exemplaryembodiments, Execution Unit 130 retains registers. In some exemplaryembodiments, the registers may be used to retain data that is loadedfrom memory, manipulated, or stored to memory, based on programinstructions. In some exemplary embodiments, the registers may be viewedas indicating a machine state of the Processor 100. As the machine stateof Processor 100 may provide useful insights into the operation of aprotected program and potentially reveal data processed thereby,Execution Unit 130 may be configured to selectively hide content of theregisters when a security domain is switched. The security domain may bedefined by the VM and OI. For example, a first security domain is of avalidated version of a program owned by a first owner. A second securitydomain is of an invalidated version of the program owned by the samefirst owner. A third security domain may be of a second owner.

In some exemplary embodiments, SMU 120 or portions thereof may belocated in between Cache Unit 110 and Memory Controller 140. Upon acache miss occurring in Cache Unit 110, SMU 120 may be requested tofetch a block into Cache Unit 110. SMU 120 may utilize Memory Controller140 to obtain the data block from Unprotected Memory 150. SMU 120 mayvalidate the identity content of the block by comparing a predeterminedsignature thereof with a signature SMU 120 computes. Based on suchkey-based validation process, VM of the cache block may be set. In someexemplary embodiments, SMU 120 may identify the owner and set the valueof OI.

In some exemplary embodiments, SMU 120 may be configured to encrypt datablocks that are evicted from Cache Unit 110 and are transferred from thetrusted area to untrusted memory area, such as Unprotected Memory 150.In some exemplary embodiments, SMU 120 may be configured to decryptencrypted data blocks that are fetched into the Cache Unit 110. In someexemplary embodiments, SMU 120 may determine whether or not to decryptthe encrypted data blocks based on values of the VM, the OI, combinationthereof, or the like.

In some exemplary embodiments, SMU 120 may utilize any memory encryptionand authentication techniques that provide memory confidentiality andintegrity breech indication. As an example, Message Authentication Code(MAC) may be used for signing data blocks. In some exemplaryembodiments, a counter mode (CM) technique for memory encryption may beused. In some exemplary embodiments, CM encryption may protect thememory at cache block granularity by assigning a seed value (e.g., 64bits) for each block's virtual address. In some exemplary embodiments,these seeds are cached. Additionally or alternatively, an integritypreserving structure (such as a hash tree) with an in-chip root valuemay be used to keep the integrity of the data blocks or CM seeds whilein the untrusted memory. The root hash may be retained within a trustedarea, such as located within the chip or externally thereto and coupledto SMU 120 via a secure channel. In some exemplary embodiments,integrity preserving structure may be a hash tree that is used formaintaining the integrity of the seeds, so that an old data block withits corresponding old seed cannot be injected into untrusted memory. Insome exemplary embodiments, integrity preserving structure may be a hashtree that is used for maintaining the integrity of the data blocks, sothat an old data block that may be injected into untrusted memory wouldbe identified as a tampered-with block. The blocks of the integritypreserving structure may also be cached, so only missing nodes of theintegrity preserving structure (rather than the entire hash tree) mayneed to be validated when fetched.

In some exemplary embodiments, CM encryption and the integritypreserving structure may require memory for metadata (e.g., encryptionseeds and a hash tree). In some exemplary embodiments, the memory maynot be protected, because an attacker is unlikely to successfully injectcorrect values without holding the secret keys. In some exemplaryembodiments, these small regions may be allocated and zeroed at thesecure program's request. In some exemplary embodiments, if the OS failsto cooperate, an error may be detected upon access. In some exemplaryembodiments, SMU 120 may perform these operations using metadata (e.g.,secret encryption and authentication keys) stored securely for eachsecure program during its setup.

It will be noted that although Processor 100 is generally consideredhardware, some of its components may be implemented using software,firmware, or combination thereof. As a non-limiting example, SMU 120 maybe partially implemented using software code to encrypt and decryptdata.

Referring now to FIG. 2 showing a block diagram of a SMU, in accordancewith some exemplary embodiments of the disclosed subject matter. SMU 120may comprise Key Storage 250 for retaining keys used by SMU 120, such asfor encryption, decryption, signature creation or validation.

SMU 120 may be configured to receive a data block being evicted fromCache Unit 110 and encrypt the data block using Encryption Module 210.Encryption Module 210 may obtain a key from Key Storage 250 that isassociated with the owner of the block being evicted (e.g., identifiedby OI). SMU 120 may be further configured to determine a signature ofthe block when being evicted, using Signing Module 220. The signaturemay be used to detect tampering and modification of the data block.Signing Module 220 may utilize a key associated with the owner andretained in Key Storage 250. In some exemplary embodiments, the SigningModule 220 may be configured to utilize an integrity preservingstructure. Signing Module 220 may be configured to initiate updates tothe integrity structure, such as in response to signing a newly evictedblock from cache.

In some exemplary embodiments, SMU 120 may be configured to receiveencrypted data block that is being fetched from Unprotected Memory 150into Cache Unit 110. SMU 120 may determine whether the data block beingfetched is of a protected program. If this is the case, the fetchedblock may be encrypted and SMU 120 may decrypt the fetched block.Decryption may be performed by Decryption Module 240, which may utilizea key associated with the owner and retained in Key Storage 250.

In some exemplary embodiments, Validation Module 230 may be configuredto obtain the signature produced for the data block (e.g., by SigningModule 220, upon eviction thereof). Validation Module 230 may re-createthe signature and compare it with the previously generated signature. Ifthe signatures differ, it may be determined that the data block wastampered with. The VM of the cache block in which the data is stored,may be set to false accordingly. Otherwise, if the validation processwas successful, VM is set to true. In some exemplary embodiments,Validation Module 230 may utilize a key associated with the owner andretained in Key Storage 250.

In some exemplary embodiments, SMU 120 may be configured to perform aresponsive action to a tamper detection. As one non-limiting example,SMU 120 may abort the tampered-with-program (e.g., code of which or dataassociated therewith is identified as tampered). In some exemplaryembodiments, SMU 120 may erase all data associated with thetampered-with-program. Additionally or alternatively, SMU 120 may issuea notification to a user, such as an owner of the tampered-with-program.

Referring now to FIG. 3 showing a block diagram of a cache unit, inaccordance with some exemplary embodiments of the disclosed subjectmatter.

Cache Unit 110 comprises a plurality of cache blocks (e.g., cache lines)(310). Each cache block is associated with a VM (320) and OI (330).

Upon fetching of an instruction or data into the cache, VM and OI valuesare also obtained, such as from SMU 120.

Access Control Block 340 may be configured to enforce access privilegesbased on VM and OI of the accessed cache block and that of theinstruction performing the access. In some exemplary embodiments, AccessControl Block 340 may be implemented within SMU 120, within Cache Unit110, or the like. Access Control Block 340 is depicted as a digitalelectronic diagram, however, other implementations, such as usingsoftware or firmware, may be used. In some exemplary embodiments,instructions have the validation mark (VM1) and owner indicator (OI1) ofits containing cache block. When an instruction tries to access memory(for either read or write), Access Control Block 340 compares the datablock's validity mark (VM2) and owner indication (OI2) with those of theinstruction (VM1,OI1), and only allows access if they both match.

In some exemplary embodiments, If VM1 and VM2 are both true, AccessControl Block 340 may enforce OI1=OI2. In such a case, both the executedprogram and the accessed data are associated with protected securitydomains. Access would be allowed only if they both are associated withthe same program.

In some exemplary embodiments, if VM1 and VM2 are both false, thenaccess may be permitted. In some exemplary embodiments, such a caseindicates both the program and the cache block are not protected and norestriction on access needs to be applied.

In some exemplary embodiments, if VM1 is false and VM2 is true, thenaccess is restricted. In some exemplary embodiments, a non-validatedinstruction may be attempting to access validated and protected data.Such an access attempt may be blocked.

In some exemplary embodiments, when VM1 is true and VM2 is false, it maybe indicative that a validated instruction attempts to access anon-validated data block. In some exemplary embodiments, access may beprevented.

In some exemplary embodiments, the access privileges may be bypassed inresponse to receiving an instruction for execution selected from a listof secure instructions. In some exemplary embodiments, some instructionsmay be a-priori deemed as secure instructions. Secure instructions maybe allowed to access, when executed in protected mode, unprotected cacheblocks. In some exemplary embodiments, the secure instructions may beinstructions that are added on top of an Instruction Set Architecture(ISA) to form an extended ISA. The program may generally utilize the ISAand not the extended ISA. In some exemplary embodiments, pre-processingmay be performed to ensure no secure instructions are used (e.g., theprogram uses the ISA and not the extended ISA). The program may beanalyzed to automatically introduce secure instructions and utilize theextended ISA, where appropriate. As the program need not (and in somecases must not) utilize the extended ISA, but rather use the ISA, theprogram may be any program that was not specifically programmed toaddress the security issues addressed by the disclosed subject matter.

In some exemplary embodiments, in order to receive services by untrustedcode, such as some OS system calls, a secure application may need toreveal some of its data. The secure instructions may allow trusted codeto bypass the Secure Access mechanism. In some exemplary embodiments,secure instructions must be authentic (e.g., VM set) in order to run. Insome exemplary embodiments, the secure instructions may comprise asecure store instruction configured to store data in a manner allowingit to be accessible to other entities other than an entity executing thesecure store instruction. In some exemplary embodiments, the securestore instruction may be SMU_StoreNA(address, data). SMU_StoreNA may beconfigured to store data into a memory block regardless of its VM, andsets its VM bit to false, making it accessible to untrusted code. Insome exemplary embodiments, the secure instructions may comprise asecure load instruction configured to load data stored by other entitiesother than an entity executing the secure load instruction. In someexemplary embodiments, the secure load instruction may beSMU_LoadNA(address). SMU_LoadNA may be configured to load data from amemory block regardless of its VM. SMU_LoadNA may be used for importinguntrusted data by trusted code. In some exemplary embodiments, thesecure instructions may comprise an initialization instructionconfigured to initialize allocated memory to be used by an entity havingthe same security domains as that of the entity executing theinitialization instruction. In some exemplary embodiments, theinitialization instruction may be SMU_InitA(addr, size). SMU_InitA maybe configured to store zeros into an entire memory region of size sizethat starts at address addr. SMU_InitA may further be configured to setVM to true for in-cache blocks; and to sign and encrypt blocks that arenot in cache. In some exemplary embodiments, the initializationinstruction may be used for initializing allocated memory, after thememory was allocated by the OS for the process, so it is accessible bytrusted code.

Referring now to FIG. 4, showing a block diagram of an execution unit,in accordance with some exemplary embodiments of the disclosed subjectmatter.

Execution Unit 130 may comprise a Instruction Execution Unit 410 forperforming the processing itself of Processor 100, SMU 120, AccessControl Block 340, any portion thereof, or the like. InstructionExecution Unit 410 may be associated with an instruction set that isgeneral and not specific for secured execution platforms. In someexemplary embodiments, Instruction Execution Unit 410 may utilize anextension of a general-purpose instruction set, such as includingadditional instructions used for specific purposes. In some exemplaryembodiments, the programmer need not explicitly use any of theadditional instructions, but rather, pre-processing may be performed toinstrument the program with the additional instructions.

In some exemplary embodiments, the extension may include any of thefollowing:

Setup and Results Instructions

SMU_GenKeys( ) which may be configured to generate a pair ofpublic-private keys (PbK, PrK). In some exemplary embodiments, thereturn value may be PbK, signed by the SMU.SMU_StoreKeys(PbK, enc[SymK && HashK], phash, FirstLEP), which mayperform public key decryption enc[Skey && Mkey, by PbK] using PrK andstore the keys, phash, and FirstLEP in a table entry.

SMU_SetPID(phash), which may report an error if no table entry withphash exists. Otherwise, the current PID may be set in the found entry.In some cases, SMU_SetPID may destroy any remnants of an existing SMUentry with the same PID, and purge such blocks in the cache.

SMU_GetResults(PID, rand), which may return PID's error status padded byrand and signed & encrypted with Skey & Mkey.

Context Switch Instructions

SMU_EvictContext( ) which may evict the content of the Secure Storage430 to a memory location.SMU_RestoreContext(PID), which may load the content of the SecureStorage 430 from a memory location.

New Load/Store Instructions

The new load/store instructions may be limited to be executable only ifVM of the instructions is set.SMU_StoreNA (address, data), which stores data into a memory blockregardless of the block's VM, and resets its VM bit.SMU_LoadNA (address), which loads data from a memory block whose VM isFalse.SMU_InitA(addr, size), which fills a memory block with ‘0’s regardlessof its VM, and sets its VM bit. In some exemplary embodiments. SMU_InitAmay be used along with write-no-allocate instruction.SMU_syscall (argnum), which may call a system call, and leaves argnumregister-arguments in place on mode change.

Instruction Execution Unit 410 may be coupled to Registers 420.Registers 420 may be capable of retaining data. Instruction ExecutionUnit 410 may be configured to load data into registers, performarithmetic operations and manipulations on the content of the registersusing machine instructions. Registers 420 may therefore revealinformation regarding the processed data, outcome, code or the like. Insome exemplary embodiments, Registers 420 may comprise an instructionpointer or program counter indicating a next instruction to be executed.Content of Registers 420 may be viewed as a state of InstructionExecution Unit 410.

In some exemplary embodiments, instructions are fetched into ExecutionUnit 130 along with the VM and OI of its containing cache block. TheSecure State Module 440 may track whether Execution Unit 130 isoperating in trusted or untrusted mode. Execution Unit 130 may operatein trusted mode when execution an instruction having its VM set to true.In some exemplary embodiments, Secure State Module 440 may retain the OIand VM of the last instruction fetched for execution (denoted as{VM_last, OI_last}). When a new instruction, inst1, with {VM1,OI1} isfetched into the execution unit, {VM1,OI1} are compared with {VM_last,OI_last}. If different (e.g., (VM_last≠VM1 or OI_last≠OI1), then theexecution of instr1 may be delayed until the content of Registers 420 iscopied to Secure Storage 430 with an ID={VM_last,OI_last} (hereaftercontext{VM_last,OI,last}), and erased from Registers 420. Values ofRegisters 420 may be restored to the ones stored in Secure Storage 430with ID={VM1,OI1} (context{VM1,OI1}), if exists; if doesn't exist, thenthe values of Registers 420 are partially or fully reset to a predefinedvalue, and some of their values may be preserved.

In some exemplary embodiments, when Secure State Module 440 changes tountrusted mode, the Secure State Module 440 may first store the contentsof Registers 420 in the Secure Storage 430, clears them, and changes thestack pointer to the non-secure memory region that acts as thenon-secure stack. In some exemplary embodiments, clearing the content ofRegisters 420 may comprise deleting their values, modifying their valuesso as to change their content, setting values of the registers todefault values, or the like. In some exemplary embodiments, Secure StateModule 440, Secure Storage 430, or the like, may store the address ofthe next authentic instruction to execute, referred to as Legal EntryPoint (LEP), the Process Identifier (PID) of the running process, andset a validity mark for the content of the Secure State Module 440.Then, the non-authentic (untrusted) code may execute safely. In someexemplary embodiments, an attempt to execute an authentic instruction inuntrusted mode only succeeds if its address matches the process' LEP andthe data in the Secure Storage 430 is valid and matches the PID. If so,the Secure State Module 440 may restore the values of Register 420 andthe secure stack pointer (the secret context) from the Secure Storage430, and changes the process to trusted mode; else the program halts andan error is declared. In both cases, the content of Secure Storage 430is invalidated. By so doing, the SMU verifies that the secure programhas resumed from its expected point of execution with the correctregister values. In some exemplary embodiments, upon initiating a secureprogram, the Secure State Module 440 may create an empty secret contextin the Secure Storage 430; only during the first switch to trusted mode,the register values are preserved, but the entry point may be enforced.

In some exemplary embodiments, for some groups of IDs (e.g.,ID={VM=false,OI=*}) Registers 420 need not to be saved for restoration(e.g. always save and restore zero).

In some preferred embodiments, Secure State Module 440 may conditioncontent restoration upon the values of some attributes of inst1 (e.g.only restore context{VM1,OI1} for instr1, ifcontext{VM1,OI1}.RegisterX==instr1(address), or a predefined offset toit).

In some exemplary embodiments, only a proper subset of Registers 420 maybe erased, and a remaining proper subset of Registers 420 may beavailable to a next instruction of a different security domain. In someexemplary embodiments, some Registers 420 may be used to pass argumentsto statically linked shared library functions, system calls, or thelike. In such a case, values of some of the Registers 420 may bepreserved. In some cases, the instruction may be analyzed on the fly todetermine whether, which and how many registers are being so used.Additionally or alternatively, automated pre-processing may be performedto replace the instruction with a designated instruction that staticallyindicates the number of registers to be preserved, such asSMU_syscall(argnum), discussed above. In some exemplary embodiments,when returning to trusted mode for the same program, the content of theregisters that were not preserved may not be restored.

Referring now to FIGS. 5A-5B showing a flowchart diagram of a method inaccordance with the disclosed subject matter.

In Step 500, a first instruction to be executed is obtained from thecache, together with its VM and OI (VM1, OI1). In some exemplaryembodiments, the VM indicates that the instruction is executed within asecurity domain of OI1.

In Step 510, the first instruction is executed by the execution unit. Asa result of the execution of the first instruction, the registers may beupdated and their content may reflect the data used or produced by theprogram.

In Step 520, a second instruction to be executed is obtained, togetherwith its VM and OI (VM2, OI2).

If the security domain of the second instruction is the same as that ofthe first instruction, Step 510 may be repeated with the secondinstruction (i.e., execute the second instruction). After suchexecution, an additional instruction may be obtained. In case thesecurity domain is different (530), Step 540 may be performed.

In Step 540, content of the registers may be stored in a secure storage,in accessible to instructions executed by the execution unit. In someexemplary embodiments, only a proper subset of the registers may bestored, such as by omitting several registers that are used by the firstinstruction to intentionally provide information to the secondinstruction. In some exemplary embodiments, the determination of thesubset may be based on the second instruction, which may explicitly orimplicitly indicate which registers' values should be maintained in thesecond security domain. In some exemplary embodiments, an indication ofwhich registers were stored may be stored as well, and used toselectively restore only the content of the registers which was stored.

In Step 550, a next instruction address may be determined and stored inthe secure storage. The next instruction address, also referred to asLegal Entry Point (LEP), may be determined based on the value of theinstruction pointer.

In Step 560, content of the registers may be cleared. In some exemplaryembodiments, content of some registers may be maintained, such as theregisters indicated to be used for passing arguments to the differentsecurity domain.

In Step 570, the second instruction may be executed. Because the secondinstruction is executed after the registers are cleared, there is nounintentional data leakage through the registers.

For completeness it is noted, that prior to executing the secondinstruction, values of the registers for the security domain may berestored, such as explained with respect to Steps 582-588. In someexemplary embodiments, the register values for each register whosecontent was cleared may be restored, if the value of the register forthe security domain is stored within the secure storage, such as becausebefore the first instruction was executed, the active security domainwas that of the second instruction.

In Step 580, a third instruction, along with its VM and OI may beobtained.

Instructions may be obtained and executed as long as the same securitydomain is maintained (Loop 580-582-583-580). For example, if thesecurity domain is of the same protected program, instructions may beexecuted repeatedly. As another example, if the security domain isunprotected program then, regardless of the owner of the instructions,all instructions may be executed until reaching a first instruction of aprotected program. For clarity of the disclosure, it is assumed thatwhen a different security domain is identified, it is the securitydomain of the first instruction.

In Step 584, the address of the third instruction is compared with theLEP for the security domain. If the address is different than the LEP,there is a risk of a program flow tampering attempt, and execution maybe halted (586). Additionally or alternatively, an owner of the programmay be notified and informed of the identified risk.

In Step 588, and in case the address matches the LEP, content of theregisters is restored. The content is retrieved from the secure storageand set to the registers, thereby restoring the machine state of theprocessor. In case no value was stored for some of the registers, thecontent of such registers may not be updated and it may persist from theprevious security domain. In some cases, the content may only persist ifthe previous security domain was an unsecure domain. In some cases, thevalue of the last unsecure domain may be restored, thereby restoring thelatest content of the register which the present security domain isprivileged to access.

In Step 590, the third instruction is executed.

Referring now to FIG. 6 showing a flowchart diagram of a method inaccordance with the disclosed subject matter.

In Step 600, an instruction is obtained together with VM1 and OI1. Insome exemplary embodiments, the instruction may access a memory block.

In Step 610, a cache block to be accessed by the instruction isidentified.

In Step 620, VM2 and OI2 of the identified cache block is retrieved.

In Step 630, it is determined whether the security domain of {VM1,OI1}is the same as that of {VM2,OI2}. If so, the instruction is executed(650). Otherwise, a tampering attempt is detect, whether tampering withthe code or data of the protected program, or an attempt to access thedata of the protected program by another program. Execution may behalted (640) to prevent potential data leakage. Additionally oralternatively, an event may be logged, or otherwise a record may beretained. In some cases, the user may be notified of such an event.

The present invention may be a system, a method, and/or a computerprogram product. The computer program product may include a computerreadable storage medium (or media) having computer readable programinstructions thereon for causing a processor to carry out aspects of thepresent invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Smalltalk, C++ or the like, andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to be limiting of the invention. Asused herein, the singular forms “a”, “an” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprises”and/or “comprising,” when used in this specification, specify thepresence of stated features, integers, steps, operations, elements,and/or components, but do not preclude the presence or addition of oneor more other features, integers, steps, operations, elements,components, and/or groups thereof.

The corresponding structures, materials, acts, and equivalents of allmeans or step plus function elements in the claims below are intended toinclude any structure, material, or act for performing the function incombination with other claimed elements as specifically claimed. Thedescription of the present invention has been presented for purposes ofillustration and description, but is not intended to be exhaustive orlimited to the invention in the form disclosed. Many modifications andvariations will be apparent to those of ordinary skill in the artwithout departing from the scope and spirit of the invention. Theembodiment was chosen and described in order to best explain theprinciples of the invention and the practical application, and to enableothers of ordinary skill in the art to understand the invention forvarious embodiments with various modifications as are suited to theparticular use contemplated.

What is claimed is:
 1. A cache unit comprising computer readable medium,wherein said cache unit is configured to retain: a plurality of cacheblocks; a plurality of owner indicators, wherein for each cache block ofthe plurality of cache blocks exists a corresponding owner indicator inthe plurality of owner indicators, wherein an owner indicatorcorresponding to a cache block is capable of identifying an entity thatcaused the cache block to be fetched to the cache unit; and a pluralityof validity marks, wherein for each cache block of the plurality ofcache blocks exists a corresponding validity mark in the plurality ofvalidity marks, wherein a validity mark corresponding to the cache blockindicates whether a validation process performed on the cache block uponfetching thereof was successful.
 2. The cache unit of claim 1, wherein afirst dataset and a second dataset concurrently reside unencrypted inthe plurality of cache blocks, wherein the first dataset is associatedwith a first entity, wherein the second dataset is associated with asecond entity, wherein the second entity is prohibited from accessingthe first dataset.
 3. The cache unit of claim 2, wherein the firstentity is prohibited from accessing the second dataset.
 4. The cacheunit of claim 2, wherein the first dataset comprises one or more cacheblocks comprising program instructions that are to be executed by thefirst entity, and wherein the first dataset comprises one or more cacheblocks comprising data that is written by the first entity.
 5. The cacheunit of claim 1 further comprising a key storage retaining a pluralityof keys, each of which is associated with a different entity, whereinthe validation process is performed using a key retained in the keystorage, wherein the key is associated with the entity, wherein the keystorage and the plurality of cache blocks are retained in a securestorage.
 6. An apparatus comprising the cache unit of claim 1, whereinsaid apparatus further comprising a Security Management Unit (SMU),wherein said SMU is configured to perform the validation process uponfetching of a cache block into the cache unit.
 7. The apparatus of claim6, wherein said SMU is further configured to sign a cache block uponcache block eviction from the cache unit to produce a signature, whereinthe validation process is based on the signature produced by said SMUupon eviction.
 8. An apparatus comprising the cache unit of claim 1,wherein said apparatus further comprises a Security Management Unit(SMU), wherein said SMU is configured to utilize the plurality of ownerindicators and the plurality of validity marks to enforce accessprivileges to the plurality of cache blocks.
 9. The apparatus of claim8, wherein said SMU is configured to bypass the access privileges inresponse to receiving an instruction for execution selected from a listof secure instructions.
 10. The apparatus of claim 9, wherein the listof secure instructions comprises: a secure store instruction configuredto store data in a manner allowing it to be accessible in securitydomains different than a security domain in which the secure storeinstruction is executed; a secure load instruction configured to loaddata stored in security domains different than a security domain inwhich the secure load instruction is executed; and an initializationinstruction configured to initialize allocated memory to be used by anentity executing the initialization instruction.
 11. An apparatuscomprising the cache unit of claim 1, wherein said apparatus furthercomprising a Security Management Unit (SMU), wherein said SMU isconfigured to enforce access privileges that couple instructions anddata retained in the plurality of cache blocks using the plurality ofowner indicators and the plurality of validity marks.
 12. An apparatuscomprising the cache unit of claim 1, wherein said apparatus furthercomprising a Security Management Unit (SMU) and a computer-useablemedium, wherein said SMU is configured to assign and set values to theplurality of validity marks and to the plurality of owner indicatorsduring fetching of corresponding data blocks into said cache unit,wherein said SMU is configured to encrypt a cache block upon evictionfrom said cache unit into the computer-useable medium, and wherein saidSMU is configured to decrypt a data unit upon fetching the data unitfrom the computer-useable medium into said cache unit.
 13. The apparatusof claim 12, wherein said SMU is configured to encrypt the cache blockupon eviction from said cache unit only in response to the cache blockbeing associated with a validity mark indicating a successful validationprocess of the cache block.
 14. An apparatus comprising the cache unitof claim 1, wherein said apparatus further comprising an execution unit,wherein said execution unit comprises a set of registers for retainingvalues, wherein the set of registers are configured to be used duringexecution of instructions by said execution unit; wherein said executionunit is configured to receive an instruction, an instruction validitymark, and an instruction owner indicator, wherein the instruction is aninstruction to be executed by said execution unit and configured to readfrom a cache block in the plurality of cache blocks, wherein theinstruction validity mark is a validity mark that corresponds the cacheblock, and wherein the instruction owner indicator is an owner indicatorthat corresponds the cache block; and wherein said execution unit isconfigured to erase content in at least a portion of the set ofregisters based on at least one of the instruction validity mark and theinstruction owner indicator.
 15. The apparatus of claim 14, wherein saidexecution unit is configured to erase the content in at least a portionof the set of registers based on the instruction validity markindicating an unsuccessful validation process of the instruction. 16.The apparatus of claim 14, wherein said execution unit is configured toerase the content in at least a portion of the set of registers based onthe instruction owner indicator indicating a different owner than asecond instruction owner indicator associated with a previousinstruction preceding the instruction.
 17. The apparatus of claim 14further comprising a secure storage, wherein said execution unit isconfigured to copy the content of the at least a portion of the set ofregisters to said secure storage prior to erasing the content, whereinsaid execution unit is configured to restore the content of the at leasta portion of the set of registers from said secure storage in responseto receiving a second instruction, a second instruction validity markand a second owner indicator, based on the second instruction validitymark indicating a successful validation process of the secondinstruction and based on the second owner indicator indicating a sameowner as a third owner indicator that is associated with a thirdinstruction preceding the instruction.
 18. The apparatus of claim 17,wherein said execution unit is configured to verify that an attribute ofthe second instruction matches an expected attribute, before restoringthe content of the at least a portion of the set of registers.
 19. Theapparatus of claim 18, wherein the attribute of the second instructionis an address of the second instruction, and wherein the expectedattribute is an expected next address.
 20. The apparatus of claim 14,wherein the content is values of a proper subset of the set ofregisters, whereby protecting values of a portion of the set ofregisters excluding the proper subset from being accessed byunauthorized instructions, and whereby enabling passing of argumentsfrom secure domain to unsecure domain via the proper subset.
 21. Amethod comprising: obtaining an instruction for execution from a firstcache block; obtaining a first validity mark and a first owner indicatorassociated with the first cache block; in response to the instruction,when executed, attempting to access a second cache block: obtaining asecond validity mark and a second owner indicator associated with thesecond cache block; determining an access privilege of the instructionto the second cache block based on at least two of the first validitymark, the first owner indicator, the second validity mark and the secondowner indicator; and enforcing the access privilege.
 22. The method ofclaim 21, wherein said determining the access privilege comprisesdetermining to prevent access in response to at least one of thefollowing: the first validity mark and the second validity mark indicatesuccessful validation and the first owner indicator is different thanthe second owner indicator; the first validity mark indicatesunsuccessful validation and the second validity mark indicatessuccessful validation; and the first validity mark indicates successfulvalidation, the second validity mark indicates unsuccessful validationand the instruction is not selected from a predetermined group of secureinstructions.
 23. A method performed by a processor, wherein theprocessor comprising a cache unit retaining a plurality of cache blocksand a set of registers, wherein said method comprising: obtaining afirst instruction for execution from a first cache block; obtaining afirst validity mark and a first owner indicator associated with thefirst cache block; determining a first security domain based on thefirst validity mark and the first owner indicator; executing the firstinstruction to set a first state of the processor; obtaining a secondinstruction for execution from a second cache block; obtaining a secondvalidity mark and a second owner indicator associated with the secondcache block; determining a second security domain based on the secondvalidity mark and the second owner indicator; in response to determiningthe second security domain is different than the first security domain:storing, in a secure storage, content of at least a portion the set ofregisters; storing, in a secure storage, an address of next instructionin the first security domain; and after said storing content and storingthe address, modifying the content of the at least a portion of the setof registers; after said modifying, executing the second instruction toset a second state of the processor; obtaining a third instruction forexecution from a third cache block; obtaining a third validity mark anda third owner indicator associated with the third cache block;determining a third security domain based on the third validity mark andthe third owner indicator; in response to determining the third securitydomain is the first security domain: restoring, from the secure storage,the content of the at least portion of the set of registers, therebyrestoring the first state of the execution unit; and verifying anaddress of the third instruction matches the address of the nextinstruction in the first security domain retained in the secure storage;and executing the third instruction on the first state of the executionunit.